Class ConfluentTrustManager
java.lang.Object
javax.net.ssl.X509ExtendedTrustManager
io.confluent.kafka.server.plugins.ssl.ConfluentTrustManager
- All Implemented Interfaces:
TrustManager, X509TrustManager
- Direct Known Subclasses:
NetworkLinkTrustManager
Custom trust manager for validating client and server certificates in Confluent Cloud.
This trust manager supports multiple certificate validation strategies for inbound connections where the broker acts as a TLS server accepting mTLS client authentication:
Certificate Validation Priority:
- SPIRE Validation: If SPIRE is enabled, validates client certificates using the SPIFFE trust manager for service-to-service authentication.
- Server Certificate as Client Certificate: If useServerCertForClientAuth is enabled, accepts server certificates (e.g., Let's Encrypt) for client authentication by calling checkServerTrusted() instead of checkClientTrusted(). This bypasses the EKU (Extended Key Usage) check that would otherwise reject a certificate carrying only the serverAuth purpose; chain building and signature validation still happen in the default trust manager.
- Default Validation: Validates that the certificate belongs to Confluent Cloud by checking the Subject Alternative Name (SAN), then delegates to the default trust manager for chain validation.
Configuration:
- ConfluentConfigs.SPIRE_SERVERSIDE_VALIDATION_ENABLED - Enable SPIRE validation on the server side
- ConfluentConfigs.MTLS_USE_SERVER_CERT_FOR_CLIENT_AUTH_SERVERSIDE_ENABLED - Accept server certificates for client authentication on the server side (supports dynamic configuration update)
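As an added example, not Confluent's code, the following Java trust manager applies the three strategies above in the order given, wrapping whatever X509ExtendedTrustManager the JDK built from the broker trust store. Every name in it is hypothetical: SpiffeValidator stands in for the SPIFFE trust manager, acceptedDnsSan for the Confluent Cloud SAN rule, and treating a SPIRE failure as final rather than falling through to the next strategy is the example's own choice, since the page does not say what the real class does.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.function.Predicate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

/** Illustrative broker-side trust manager (example code, all names hypothetical). */
public final class ClientAuthStrategyTrustManager extends X509ExtendedTrustManager {

    /** Hypothetical stand-in for the SPIFFE trust manager: validates a chain or throws. */
    public interface SpiffeValidator {
        void checkClientChain(X509Certificate[] chain) throws CertificateException;
        X509Certificate[] trustBundle();
    }

    @FunctionalInterface
    private interface Check { void run() throws CertificateException; }

    private static final int GENERAL_NAME_DNS = 2; // dNSName tag in getSubjectAlternativeNames()

    private final X509ExtendedTrustManager defaultTm;    // JDK PKIX trust manager over the broker trust store
    private final SpiffeValidator spire;                 // null when SPIRE validation is disabled
    private final Predicate<String> acceptedDnsSan;      // e.g. name -> name.endsWith(".example.internal")
    private volatile boolean useServerCertForClientAuth; // volatile: flipped by dynamic config updates

    public ClientAuthStrategyTrustManager(X509ExtendedTrustManager defaultTm, SpiffeValidator spire,
                                          Predicate<String> acceptedDnsSan, boolean useServerCertForClientAuth) {
        this.defaultTm = defaultTm;
        this.spire = spire;
        this.acceptedDnsSan = acceptedDnsSan;
        this.useServerCertForClientAuth = useServerCertForClientAuth;
    }

    public void setUseServerCertForClientAuth(boolean enabled) {
        this.useServerCertForClientAuth = enabled;
    }

    /* Inbound: the broker is the TLS server and the peer presented a client certificate. */

    private void checkInbound(X509Certificate[] chain, Check asClient, Check asServer) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        if (spire != null) {            // Strategy 1: SPIRE decides; a failure is final in this example
            spire.checkClientChain(chain);
            return;
        }
        if (useServerCertForClientAuth) { // Strategy 2: server rules, so a serverAuth-only EKU is accepted
            asServer.run();               // chain, signatures and validity are still checked by defaultTm
            return;
        }
        requireAcceptedDnsSan(chain[0]);  // Strategy 3: SAN must name an accepted host, then client rules
        asClient.run();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkInbound(chain, () -> defaultTm.checkClientTrusted(chain, authType),
                            () -> defaultTm.checkServerTrusted(chain, authType));
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        checkInbound(chain, () -> defaultTm.checkClientTrusted(chain, authType, socket),
                            () -> defaultTm.checkServerTrusted(chain, authType, socket));
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        checkInbound(chain, () -> defaultTm.checkClientTrusted(chain, authType, engine),
                            () -> defaultTm.checkServerTrusted(chain, authType, engine));
    }

    /* Outbound: the broker is the TLS client; ordinary server validation applies unchanged. */

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTm.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        defaultTm.checkServerTrusted(chain, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        defaultTm.checkServerTrusted(chain, authType, engine);
    }

    /** Advertised in CertificateRequest so clients can choose a certificate; not a validation policy. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> issuers = new ArrayList<>(Arrays.asList(defaultTm.getAcceptedIssuers()));
        if (spire != null) {
            issuers.addAll(Arrays.asList(spire.trustBundle()));
        }
        return issuers.toArray(new X509Certificate[0]);
    }

    private void requireAcceptedDnsSan(X509Certificate leaf) throws CertificateException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames(); // CertificateParsingException propagates
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == GENERAL_NAME_DNS && acceptedDnsSan.test((String) san.get(1))) {
                    return;
                }
            }
        }
        throw new CertificateException("client certificate has no accepted dNSName SAN: " + leaf.getSubjectX500Principal());
    }
}
```

The security-relevant line is the server-path call in strategy 2. The JDK's default trust manager requires id-kp-clientAuth (or anyExtendedKeyUsage) on the client path and id-kp-serverAuth on the server path, so routing through checkServerTrusted is exactly what lets a publicly issued serverAuth-only leaf authenticate; what remains enforced is whatever defaultTm enforces: chain building to a root in the broker trust store, signatures, validity period and revocation settings. With the flag on, the SAN rule from strategy 3 is not applied on that path in this example, so the contents of that trust store and the principal mapping applied after the handshake carry the authorization burden. getAcceptedIssuers only tells clients which certificate to send; nothing in validation enforces it.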
-
Field Summary
Fields: MIN_REMOTE_CLIENT_CERT_EXPIRY_MS, METRICS_GROUP, SPIRE_VALIDATION_SUCCESS_TOTAL, SPIRE_VALIDATION_SUCCESS_RATE, SPIRE_VALIDATION_FAILURE_TOTAL, SPIRE_VALIDATION_FAILURE_RATE, SERVER_CERT_VALIDATION_SUCCESS_TOTAL, SERVER_CERT_VALIDATION_SUCCESS_RATE, SERVER_CERT_VALIDATION_FAILURE_TOTAL, SERVER_CERT_VALIDATION_FAILURE_RATE
-
Constructor Summary
ConfluentTrustManager(Map<String, ?> configs, X509ExtendedTrustManager defaultTrustManager)
-
Method Summary
void checkClientTrusted(X509Certificate[] x509Certificates, String authType)
void checkClientTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
void checkClientTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
void checkServerTrusted(X509Certificate[] x509Certificates, String authType)
void checkServerTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
void checkServerTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
X509Certificate[] getAcceptedIssuers() - Returns the accepted CA issuers for client authentication.
boolean verifyClientCerts(X509Certificate[] x509Certificates)
boolean verifyServerCerts(X509Certificate[] x509Certificates)
-
Field Details
MIN_REMOTE_CLIENT_CERT_EXPIRY_MS
METRICS_GROUP
SPIRE_VALIDATION_SUCCESS_TOTAL
SPIRE_VALIDATION_SUCCESS_RATE
SPIRE_VALIDATION_FAILURE_TOTAL
SPIRE_VALIDATION_FAILURE_RATE
SERVER_CERT_VALIDATION_SUCCESS_TOTAL
SERVER_CERT_VALIDATION_SUCCESS_RATE
SERVER_CERT_VALIDATION_FAILURE_TOTAL
SERVER_CERT_VALIDATION_FAILURE_RATE
-
Constructor Details
ConfluentTrustManager
ConfluentTrustManager(Map<String, ?> configs, X509ExtendedTrustManager defaultTrustManager)
-
Method Details
-
checkClientTrusted
public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, Socket socket) throws CertificateException
Specified by: checkClientTrusted in class X509ExtendedTrustManager
Throws: CertificateException
-
checkServerTrusted
public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, Socket socket) throws CertificateException
Specified by: checkServerTrusted in class X509ExtendedTrustManager
Throws: CertificateException
-
checkClientTrusted
public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine) throws CertificateException
Specified by: checkClientTrusted in class X509ExtendedTrustManager
Throws: CertificateException
-
checkServerTrusted
public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine) throws CertificateException
Specified by: checkServerTrusted in class X509ExtendedTrustManager
Throws: CertificateException
-
checkClientTrusted
public void checkClientTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException
Throws: CertificateException
-
checkServerTrusted
public void checkServerTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException
Throws: CertificateException
-
getAcceptedIssuers
public X509Certificate[] getAcceptedIssuers()
Returns the accepted CA issuers for client authentication. This list is sent to clients in the TLS CertificateRequest message as the certificate_authorities list (a field of CertificateRequest in TLS 1.2, an extension in TLS 1.3). Clients use it to decide which certificate to present; it is advisory and is not itself enforced during validation.
When SPIRE is enabled, this returns both:
- Default (Let's Encrypt) CAs
- SPIRE trust bundle CAs
-
verifyClientCerts
boolean verifyClientCerts(X509Certificate[] x509Certificates) throws CertificateException
Throws: CertificateException
-
verifyServerCerts
boolean verifyServerCerts(X509Certificate[] x509Certificates) throws CertificateException
Throws: CertificateException